$ssl_client_s_dn

The $ssl_client_s_dn variable contains the subject distinguished name from the client's SSL certificate.

Description

The $ssl_client_s_dn variable is populated when the client presents a valid SSL/TLS certificate during the SSL handshake. It contains the subject distinguished name (DN) from that certificate, which identifies the certificate holder through attributes that typically include the common name, organization, country, and other relevant fields. The variable is set only when the ssl_verify_client directive is "on" or "optional", so that NGINX requires or requests a client certificate. It becomes available in the NGINX context only after a valid client certificate has been successfully verified.

Config Example

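server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # CA certificate(s) used to verify client certificates; nginx will not
    # start with ssl_verify_client on unless a CA file is configured
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;

    location / {
        # Echo the verified subject DN back in a response header
        if ($ssl_client_s_dn) {
            add_header X-Client-DN $ssl_client_s_dn;
        }
    }
}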

Ensure that ssl_verify_client is set to on or optional for this variable to be populated.

If no client certificate is provided, $ssl_client_s_dn will be empty.

Remember that this variable is only accessible in contexts where SSL is enabled.
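
When the DN is used for access control and not only echoed back, the following added example (not part of the original page) shows one way to combine it with $ssl_client_verify and an exact-match allow-list, and to forward it to a backend. The DN strings, the $dn_allowed variable, the file paths and the upstream address are constructed placeholders.

```nginx
# Added example; all DN values, paths and the upstream address are constructed.
# The map block belongs in the http context.

# Allow-list keyed on the full subject DN. Since nginx 1.11.6 the value uses
# the RFC 2253 string form (comma-separated, most specific attribute first);
# the older slash-separated form is available as $ssl_client_s_dn_legacy.
# Match the whole string: an unanchored pattern such as ~CN=billing would
# also accept any certificate that merely contains that text in another field.
# Note that plain string keys in map are compared case-insensitively.
map $ssl_client_s_dn $dn_allowed {
    default 0;
    "CN=billing-service,OU=Payments,O=Example Corp,C=US" 1;
    "CN=report-runner,OU=Payments,O=Example Corp,C=US"   1;
}

server {
    listen 443 ssl;
    ssl_certificate        /path/to/server.crt;
    ssl_certificate_key    /path/to/server.key;
    ssl_client_certificate /path/to/client-ca.crt;  # CA that issues client certs
    ssl_verify_client      optional;

    location /api/ {
        # With "optional", a request without a certificate still reaches this
        # location: $ssl_client_verify is NONE and $ssl_client_s_dn is empty.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Verified certificate, but the subject is not on the allow-list
        if ($dn_allowed = 0) {
            return 403;
        }

        # proxy_set_header replaces any header of the same name sent by the
        # client, so the backend only ever sees the value nginx verified
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The backend should trust X-Client-DN only on connections that come from this proxy.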
